Introduction

With Open-AudIT 2.3.2 we have introduced the ability to customise both the scanning options for Nmap and the device matching rules - per discovery.

The Nmap scanning options are contained in a new endpoint (or collection) named nmap_scan_options. You can create your specific options and save them as an item, then use them in your discoveries.

Community users have the ability to select one of the supplied discovery scan options and use it as the default for all scans. Community users will use the default configured matching rules in the configuration as per previous releases for all scans.

Professional users can select an individual discovery scan options entry per scan. Professional users will use the default configured matching rules in the configuration as per previous releases for all scans.

Discovery Scan Options

The options contained within a discovery scan options entry are as below.

Must Respond To Ping

If set, Nmap will first attempt to send and listen for an ICMP response. If the device does not respond, no further scanning will occur. Previously a device did not have to respond to a ping for Open-AudIT to continue scanning.

Use Service Version Detection

When a port is detected as open, if set to 'y', Nmap will query the target device in an attempt to determine the version of the service running on this port. This can be useful when identifying unclassified devices. This was not previously used.

Consider Filtered Ports Open

Previously, Open-AudIT considered an Nmap response of "open|filtered" as a device responding on this port. This has caused some customers issues where firewalls respond on behalf of a non-existing device, and hence cause false positive device detection. We now have this attribute available to set per scan.

Timing

The standard Nmap timing options. Previously set at T4 (aggressive).

Top Nmap TCP Ports

The top 10, 100, 1000 ports to scan as per Nmap's "top ports" options. Previously we scanned the Top 1000 ports (the Nmap standard).

Scan for this port and if detected open, use this port for SSH communication. This is added to the list of Custom TCP Ports above, so there is no need to include it in that list as well.
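The options above can be read as a set of standard Nmap arguments plus a rule for which reported port states count as a responding device. The following is an added example, not Open-AudIT's own code: the option keys, the flag mapping and the sample output lines are assumptions constructed for illustration, and the defaults shown are the "previously" values stated on this page.

```python
import re

# Hypothetical option keys named after the labels on this page (not
# Open-AudIT's field names). Values are the pre-2.3.2 behaviour described above.
PREVIOUS_DEFAULTS = {
    "must_respond_to_ping": False,
    "service_version": False,
    "filtered_ports_open": True,
    "timing": 4,
    "top_tcp_ports": 1000,
}

def nmap_args(options, target):
    """Map a scan options entry onto standard Nmap arguments (assumed mapping)."""
    args = ["nmap", f"-T{options['timing']}",
            "--top-ports", str(options["top_tcp_ports"])]
    if options["service_version"]:
        args.append("-sV")  # query open ports for the service version
    # -PE: ICMP echo host discovery; -Pn: skip discovery and scan regardless
    args.append("-PE" if options["must_respond_to_ping"] else "-Pn")
    return args + ["-oG", "-", target]

def responding_ports(grepable_line, filtered_ports_open):
    """Return (port, protocol) pairs counted as responding on one -oG host line."""
    match = re.search(r"Ports: ([^\t]*)", grepable_line)
    if not match:
        return []
    accepted = {"open", "open|filtered"} if filtered_ports_open else {"open"}
    found = []
    for entry in match.group(1).split(","):
        port, state, proto = entry.strip().split("/")[:3]
        if state in accepted:
            found.append((int(port), proto))
    return found

# Constructed grepable (-oG) lines. Nmap reports open|filtered when a probe
# gets no answer at all, which is why it can appear for an address that has
# no device behind it.
REAL_HOST = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
             "161/open|filtered/udp//snmp///\tIgnored State: closed (998)")
GHOST_HOST = ("Host: 192.0.2.77 ()\tPorts: 161/open|filtered/udp//snmp///"
              "\tIgnored State: filtered (999)")

if __name__ == "__main__":
    print(" ".join(nmap_args(PREVIOUS_DEFAULTS, "192.0.2.0/24")))
    for flag in (True, False):
        print(flag, responding_ports(REAL_HOST, flag), responding_ports(GHOST_HOST, flag))
```

With "Consider Filtered Ports Open" unset, the second address yields no responding ports and would not be recorded as a device, while the first is still detected through its open SSH port.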

When creating a discovery in Enterprise, the screen now looks as below (after Advanced has been clicked).

As always, you can simply set the name and subnet to be scanned and the defaults (as per the configuration) will be used and you're off and running. If you want to change individual items per scan, click the Advanced button and you have full access to all fields.

Professional users are able to select the Discovery Options from the dropdown, but not customise individual attributes.

Open-AudIT Enterprise

New Feature

Discovery specific scan and match options.

Open-AudIT

Improvement

Add a 5 second delay for invalid logon attempts.

Open-AudIT Professional

New Feature

Add "Debug" under the user's name (top left) which shows JSON output similar to what Community has had for some time.

Open-AudIT Community

New Feature

Add timings for major sections of the response to the META sections of the output (visible using Debug).

Open-AudIT Community

Improvement

Refine processing a device. Do NOT populate "hostname" with "dns_hostname". Populate name with hostname, sysName, dns hostname then IP in that order.

Open-AudIT Community

Improvement

Add a new column - system.identification. Populate upon scan or audit processing.

Open-AudIT Professional

Improvement

Display the "identification" column in the default list when showing the device list.

Open-AudIT Community

Improvement

Improve discovery logging. Log at severity 5 when no working credentials are found or no management protocols (WMI, SSH, SNMP) are returned.

Open-AudIT Community

Improvement

Do not unset the device type if all we have is an Nmap result (ie, MAC manufacturer = Apple or port 62078 is open and device name contains iphone, set device even with just an Nmap scan to iphone).

Audit code (in audit_windows.vbs and audit_linux.sh) that correctly parses and inserts as XML the device's open netstat ports. Correspondingly, process this data as per other data with no requirement to parse the raw netstat data within the Open-AudIT server.

Open-AudIT Community

Bug

NMIS export now renders correctly and does not error out.

Open-AudIT Community

Bug

Add the discovery data to the response so when requested from OAP/E, we don't produce an error because of a GET but no data returned.

Open-AudIT Community

Improvement

Remove discovery logs from a JSON read request to discoveries. We should now use the /discovery_log endpoint.

Open-AudIT Professional

New Feature

Add a button on the discoveries_read template to enable the user to export all relevant discovery information.

Open-AudIT Community

Improvement

In audit_windows.vbs, wrap attempt to talk to domain in an on error resume next to prevent breakage when talking to an openLDAP domain.

Open-AudIT Community

Bug

Fix broken service, user, route sections on device details page.

Open-AudIT Community

Improvement

Add a new device type of Unclassified. If we have limited information about a device, but do have something like a manufacturer derived from a MAC or a port is open, then the device is now classed as Unclassified, not Unknown.